It has been discovered by "frosty_un" that a design flaw in Tor, an onlineprivacy tool, allows malicious relay servers to learn certain informationthat they should not be able to learn. Specifically, a relay that a userconnects to directly could learn which other relays that user is connected to directly. In combination with other attacks, this issue can lead to deanonymizing the user. The Common Vulnerabilities and Exposures project has assigned CVE-2011-2768 to this issue.

For the oldstable distribution (lenny), this problem has been fixed inversion 0.2.1.31-1~lenny+1. Due to technical limitations in the Debianarchive scripts, the update cannot be released synchronously with thepackages for stable. It will be released shortly.

For the stable distribution (squeeze), this problem has been fixed inversion 0.2.1.31-1.

For the unstable and testing distributions, this problem has been fixed inversion 0.2.2.34-1.

For the experimental distribution, this problem have has fixed in version0.2.3.6-alpha-1.

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: http://www.debian.org/security/